15-853Page :Algorithms in the Real World Generating Random and Pseudorandom Numbers

15-853Page2 Welch brings down McCarthy McCarthy: Jim, will you get the citation, one of the citations showing that this was the legal arm of the Communist Party, and the length of time that he belonged, and the fact that he was recommended by Mr. Welch. I think that should be in the record.... Welch: Senator, you won't need anything in the record when I finish telling you this. Until this moment, Senator, I think I never really gauged your cruelty, or your recklessness. … Welch: … Let us not assassinate this lad further, Senator. McCarthy: Let's, let's -- Welch: You've done enough. Have you no sense of decency, sir, at long last? Have you left no sense of decency?

15-853Page3 Random number sequence definitions Each element is chosen independently from a probability distribution [Knuth]. Randomness of a sequence is the Kolmogorov complexity of the sequence (size of smallest Turing machine that generates the sequence) – infinite sequence should require infinite size Turing machine.

15-853Page4 Outline Environmental sources of randomness Testing randomness Pseudorandom number generators Cryptographically secure random number generators

15-853Page5 Environmental Sources of Randomness Radioactive decay Radio frequency noise Noise generated by a resistor or diode. –Canada (find the data encryption section, then look under RBG1210. My device is an NM810 which is 2?8? RBG1210s on a PC card) –Colorado –Holland –Sweden Inter-keyboard timings (watch out for buffering) Inter-interrupt timings (for some interrupts)

15-853Page6 Combining Sources of Randomness Suppose r 1, r 2, …, r k are random numbers from different sources. E.g., r 1 = from JPEG file r 2 = sample of hip-hop music on radio r 3 = clock on computer b = r 1  r 2  …  r k If any one of r 1, r 2, …, r k is truly random, then so is b.

15-853Page7 Skew Correction Von Neumann’s algorithm – converts biased random bits to unbiased random bits: Collect two random bits. Discard if they are identical. Otherwise, use first bit. Efficiency?

15-853Page8 Analysis of random.org numbers John Walker’s Ent program Entropy = bits per character. Optimum compression would reduce the size of this character file by 0 percent. Chi square distribution for samples is , and randomly would exceed this value percent of the times. Arithmetic mean value of data bytes is (127.5 = random). Monte Carlo value for PI is (error 0.08 percent). Serial correlation coefficient is (totally uncorrelated = 0.0

15-853Page9 Analysis of JPEG file Entropy = bits per character. Optimum compression would reduce the size of this character file by 0 percent. Chi square distribution for samples is , and randomly would exceed this value 0.01 percent of the times. Arithmetic mean value of data bytes is (127.5 = random). Monte Carlo value for Pi is (error 0.90 percent). Serial correlation coefficient is (totally uncorrelated = 0.0).

15-853Page10 Chi Square Results The low-order 8 bits returned by the standard Unix rand() function: Chi square distribution for samples is 0.01, and randomly would exceed this value percent of the times. Improved generator due to [Park & Miller]: Chi square distribution for samples is , and randomly would exceed this value percent of the times. Random sequence created by timing radioactive decay events:timing radioactive decay events Chi square distribution for samples is , and randomly would exceed this value percent of the times.

15-853Page11 Chi Square Test Experiment with k outcomes, performed n times. p 1, …, p k denote probability of each outcome Y 1, …, Y k denote number of times each outcome occured Large X 2 indicates deviance from random chance Computed numerically. probability X 2 value calculated for an experiment with d degrees of freedom (where d=k-1, one less the number of possible outcomes) is due to chance

15-853Page12 Spectral Test Maximum distance d s between adjacent parallel hyperplanes, taken over all hyperplanes that cover the vectors x i (s) = (x i, x i+1, …, x i+s-1 ).

15-853Page13 A Different Spectral Test – Frequency Analysis One bit in a sequence of bytes, generated by hardware.

15-853Page14 Pseudorandom Number Generators Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin. John Von Neumann, 1951

15-853Page15 Linear Congruential Generator x 0 = given, x n+1 = P 1 x n + P 2 (mod N) n = 0,1,2,... (*) x 0 =79, N = 100, P 1 = 263, and P 2 = 71 x 1 = 79* (mod 100) = (mod 100) = 48, x 2 = 48* (mod 100) = (mod 100) = 95, x 3 = 95* (mod 100) = (mod 100) = 56, x 4 = 56* (mod 100) = (mod 100) = 99, Sequence: 79, 48, 95, 56, 99, 8, 75, 96, 68, 36, 39, 28, 35, 76, 59, 88, 15, 16, 79, 48, 95 Park and Miller: P 1 = 16807, P 2 = 0, N= = , x 0 = 1. ANSI C rand(): P 1 = , P 2 = 12345, N = 2 31, x 0 = 12345

15-853Page16 Plot (x i, x i+1 ) Park and Miller

15-853Page17 (x i, x i+1 ), (x i,x i+2 ), (x i, x i+2 )

15-853Page18 Matsumoto’s Marsenne Twister Considered one of the best linear congruential generators.

15-853Page19 Non-linear Generators

15-853Page20 Cryptographically Strong Pseudorandom Number Generator Next-bit test: Given a sequence of bits x 1, x 2, …, x k, there is no polynomial time algorithm to generate x k+1. Yao [1982]: A sequence that passes the next-bit test passes all other polynomial-time statistical tests for randomness.

15-853Page21 Hash Chains Hash or Encryption Function key xixi x i+1 Last bit of x i+1 (need a random seed x 0 or key value)

15-853Page22 BBS “secure” random bits BBS (Blum, Blum and Shub, 1984) –Based on difficulty of factoring, or finding square roots modulo n = pq. Fixed p and q are primes such that p = q = 3 (mod 4) n = pq (is called a Blum integer) For a particular bit seq. Seed: random x relatively prime to n. Initial state: x 0 = x 2 i th state: x i = (x i-1 ) 2 i th bit: lsb of x i Note that: Therefore knowing p and q allows us to find x 0 from x i